import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;

// Evaluates an arbitrary EL expression with JUEL. If `expression` is attacker-controlled,
// this is an expression-injection sink: nothing restricts what the expression may resolve.
public static Object evaluate(String expression) {
    ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
    ELContext context = new de.odysseus.el.util.SimpleContext();
    ValueExpression e = factory.createValueExpression(context, expression, Object.class);
    return e.getValue(context);
}
// CodeQL sink: a tainted expression object on which a javax.el / jakarta.el
// evaluation method is called.
private class ExpressionEvaluationSink extends DataFlow::ExprNode {
  ExpressionEvaluationSink() {
    exists(MethodAccess ma, Method m, Expr taintFrom |
      ma.getMethod() = m and taintFrom = this.asExpr()
    |
      m.getDeclaringType() instanceof ValueExpression and
      m.hasName(["getValue", "setValue"]) and
      ma.getQualifier() = taintFrom
      or
      m.getDeclaringType() instanceof MethodExpression and
      // The snippet on the page ends at the line above; the clause is completed here by
      // analogy with the ValueExpression case (MethodExpression.invoke / getMethodInfo).
      m.hasName(["invoke", "getMethodInfo"]) and
      ma.getQualifier() = taintFrom
    )
  }
}
// Taint-tracking configuration: remote input flowing to an EL evaluation sink.
class JakartaExpressionInjectionConfig extends TaintTracking::Configuration {
  JakartaExpressionInjectionConfig() { this = "JakartaExpressionInjectionConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink }

  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
    any(TaintPropagatingCall c).taintFlow(fromNode, toNode) or
    hasGetterFlow(fromNode, toNode)
  }
}
import java
import semmle.code.java.frameworks.spring.SpringBean

/**
 * Holds if `type` is `RemoteInvocationSerializingExporter`.
 */
predicate isRemoteInvocationSerializingExporter(RefType type) {
  type.getASupertype*()
      .hasQualifiedName("org.springframework.remoting.rmi", "RemoteInvocationSerializingExporter")
}
import java
import UnsafeSpringExporterLib

/**
 * Holds if `type` is `RemoteInvocationSerializingExporter`.
 */
predicate isRemoteInvocationSerializingExporter(RefType type) {
  type.getASupertype*()
      .hasQualifiedName("org.springframework.remoting.rmi", "RemoteInvocationSerializingExporter")
}
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

  <bean id="accountService" class="com.gypsyengineer.server.AccountServiceImpl"/>

  <!-- HttpInvokerServiceExporter deserializes Java-serialized RemoteInvocation objects from HTTP request bodies -->
  <bean name="/account" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <!-- The snippet on the page ends at the line above; these properties mirror the
         setService / setServiceInterface calls of the Java-based configuration. -->
    <property name="service" ref="accountService"/>
    <property name="serviceInterface" value="com.gypsyengineer.server.AccountService"/>
  </bean>
</beans>
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

@Configuration
class Server {
    // Exposes AccountService over HTTP invoker: the exporter deserializes
    // Java-serialized RemoteInvocation objects taken from request bodies.
    @Bean(name = "/account")
    HttpInvokerServiceExporter accountService() {
        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
        exporter.setService(new AccountServiceImpl());
        exporter.setServiceInterface(AccountService.class);
        return exporter;
    }
}
// CodeQL sink: tainted data reaching a JEXL evaluation, a JEXL callable creation,
// or a JexlEngine getProperty/setProperty call.
private class JexlEvaluationSink extends DataFlow::ExprNode {
  JexlEvaluationSink() {
    exists(MethodAccess ma, Method m, Expr taintFrom |
      ma.getMethod() = m and taintFrom = this.asExpr()
    |
      m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = taintFrom
      or
      m instanceof CreateJexlCallableMethod and ma.getQualifier() = taintFrom
      or
      m instanceof JexlEngineGetSetPropertyMethod and
      // The snippet on the page ends at the line above; completed on the assumption that
      // the tainted value is the String expression argument of getProperty/setProperty.
      taintFrom.getType() instanceof TypeString and
      ma.getAnArgument() = taintFrom
    )
  }
}
class JexlInjectionConfig extends TaintTracking::Configuration {
  JexlInjectionConfig() { this = "JexlInjectionConfig" }

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }

  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
    // The snippet on the page ends at the signature above; the body is assumed to reuse
    // the same TaintPropagatingCall step as the Jakarta EL configuration.
    any(TaintPropagatingCall c).taintFlow(fromNode, toNode)
  }
}
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlUberspect;

void runJexl(String jexlExpr) {
    JexlUberspect sandbox = new JexlUberspectSandbox(); // restricts which classes/methods the expression may reach
    JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
    JexlExpression expression = jexl.createExpression(jexlExpr);
    JexlContext context = new MapContext();
    expression.evaluate(context);
}

private static class JexlUberspectSandbox implements JexlUberspect { /* method bodies are not part of the snippet on the page */ }